Answer this for yourself:
The CISO should report to...
- CRO/Chief Legal Counsel
Articles like this one in CSO Online ("Target Top security officer reporting to CIO seen as a mistake") do little besides creating more tension between those responsible for an enterprise's leadership and its operational well-being. Does it make sense for the CISO to report to the CIO? Of course it does. Does it make sense at Target? I don't know; I don't know the CIO well enough to say for sure whether he will weigh security issues seriously against operational responsibilities. I can tell you that he would have to be an absolute fool to disregard security given the recent spate of events there.
Recently on the Down the Rabbithole Podcast we interviewed Joe Riesberg, who is the CIO at Drake University and former CISO for a worldwide financial conglomerate. Joe talked about the partnership that must exist between the CIO and CISO, and how the CIO must have at least a fundamental understanding of, and healthy respect for, security.
So where do I believe the CISO should report in a healthy enterprise, one that understands the balance between keeping the business supported and innovative and keeping the business reasonably secured? The real answer is: it depends. My advice: stop arguing over where the CISO should report and start thinking about how the CISO can better understand and fit into the business, and partner with the rest of enterprise leadership to build a strong culture of security. We don't need any more drama or adversaries in security; we have enough of that already.